SP6 Enhancements; Various Fixes and Workarounds

TCP/IP Vulnerability Hotfix When a Windows NT system sends TCP/IP packets to another computer, each packet contains a sequence number that the destination computer uses to reassemble the packets in the correct order before processing the contents. Microsoft Support Online article Q243835 indicates that NT Server and BackOffice Server TCP/IP initial sequence numbers are predictable, which opens the door for a malicious user to access a system via IP address spoofing or session hijacking. This vulnerability exists in Windows NT 4.0, Enterprise Edition; BackOffice Server 4.0 and 4.5; and Small Business Server (SBS) 4.0 and 4.5. The good news is that you can download the TCP/IP hofixes directly from Microsoft’s Web site. You’ll find the Intel version here and the Alpha version here.

SP6 Logoff Issue Here’s the first issue to appear since the release of Service Pack 6 (SP6) a week ago: After you upgrade to SP6, the screen grays and the mouse pointer remains an hourglass indefinitely when you log off via the Start menu. This behavior must be intermittent because I didn't experience it on my SP6 system. According to Microsoft, the logoff problem relates to changes introduced in the newest version of Winlogon. To work around it, use the three-finger salute (Ctrl+Alt+Del) and click the Logoff button when the Windows NT Security window appears. This problem is one good reason to hold off on deploying SP6 to end-user workstations. Let's hope we see a post-SP6 Winlogon fix in the near future.

NT System Object Protection Service packs can remove or reset a Registry value entry that protects base system objects against unauthorized access. The Registry value entry ProtectionMode (data type of DWORD), which controls access to certain core OS components, resides in the key HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Session Manager. If ProtectionMode has a value of 0, base system object protection isn’t enabled and a user can potentially access system files that run in an elevated privilege mode not subject to typical security controls. My system has two Session Manager keys, and ProtectionMode resides in the first one. When I checked ProtectionMode, it was set to 0.

To enable base system object protection, you must set ProtectionMode to a value of 1. To keep your system secure, check this Registry value (and adjust it if necessary) each time you apply or reapply a service pack. You can find documentation of this security concern in Microsoft Support Online article Q244995.

IIS 3.0 Y2K Issue The Convlog utility included with Internet Information Server (IIS) 3.0 incorrectly converts the year 2000 to the year 2028. Microsoft has released an update for Intel and Alpha platforms that performs the year conversion properly; you must call Microsoft Support for the update (it’s not available for public download). See Microsoft Support Online article Q245329 for details.

Win9x SMS Client Mail Hang Do you have Windows 9x systems configured as Systems Management Server (SMS) 2.0 or SMS 2.0 Service Pack 1 (SP1) clients? If so, these clients might hang when a user opens an email attachment. Microsoft has updated 16 components in the SMS 2.0 client code to correct this problem, but you can obtain the updates only by calling Microsoft Support. Check out Microsoft Support Online article Q244034 for the procedure you must follow to install the SMS client hotfix and hints on distributing the new client across your enterprise.

SNA Server MMC Dr. Watson Does your SNA/SMS Server pull a Dr. Watson when you start the Microsoft Management Console (MMC) and try to open the SNA snap-in? This is a known bug in SNA Server 4.0 with Service Pack 1 (SP1) or SP2, and there's no available workaround. See Microsoft Support Online article Q241533 for more information.

SP6 Enhancements Last week, I covered some Service Pack 6 (SP6) issues, and now I'd like to discuss some of the improvements the latest update delivers. These improvements are in addition to the extensive list of networking, security, shell, and setup bug fixes you’ll find documented in Microsoft Support Online articles Q241211 and Q225037. In my first few days with SP6, I experienced problems with a local printer, and readers report printing problems from Windows 9x clients as well. Printing issues, combined with the Winlogon problem I reported above, do nothing to boost my confidence in this latest upgrade. I think a wait-and-see attitude is the most prudent approach for SP6.

Compaq has released Revision G of the hardware abstraction layer (HAL) for its Alpha systems, and SP6 includes support for the enhanced HAL functions, including the Tsunami chip. You can read about other HAL improvements in Microsoft Support Online article Q239929, but don’t be confused by Microsoft’s reference to HAL as Hardware Access List in the article! Download the new HALs from Compaq’s firmware page.

The French version of Windows NT now supports 40-bit encryption for RAS and PPTP, Systems Management Server (SMS) Remote Console, SQL Server, and Exchange Server.

NT 4.0 setup now recognizes Compaq and Dell OEM utility partitions, so you don’t have to reformat the system disk or use an alternate partition to install a fresh copy of the OS.

SP6 provides three major enhancements to print spooling, and if these improvements work as advertised, we’ll have significantly fewer print headaches to manage. First, a print job that hangs on a printer in a printer pool should resume after you resolve the error condition. Second, print jobs won't queue to a printer with an unavailable status, except when the status indicates low toner (what a concept). And third, when a print job doesn't print within a specified time, the spooler will redirect the output to another printer in the print pool.

Microsoft has extended the Add Printer wizard to give you many new print drivers, including drivers for several HP Laserjet PCL 5e printers (2100, 4000, 5000, and 8x00 series), two Lexmark Optra printers, and several postscript drivers (three Textronix Phaser printers; the HP Laserjet 4000, 5000, and 8x00 series; the Canon LBP-1760; and the Kyocera 5800C PS).

Some more information about the SP6 LOGOFF ISSUE
During testing of an installation we ran into this same issue, and therefore I have been able to pin-point a, maybe the, cause of the intermittence.
The cause which I have been chasing for is when you prevent a log-off (or reboot) from happening.
An easy way of simulating this cause is:
Open up Notepad, and type somthing in but do not save this text.
Now initiate a log-off from the start-menu.
When Notepad asks you to save the changes, press cancel.
Initiate a log-off from the start-menu again.
This behavior can be reproduced on both SP6 and SP6a.

Regarding your follow up on SP6-
It appears that Service Pack 6 and Lotus Notes clients do not work when used in conjunction with a user logon
that does not have administrator rights... I could not use Lotus Notes 4.66a until I logged in to the client computer
with administrator rights.
Removing SP6 and returning to SP6 fixed the problem.
Looks like Microsoft forgot to check to see if anyone was using TCP ports > 1024 before releasing SP6.

Microsoft Stack Master Class

Understand the complete Microsoft solution stack, how the products work together, and how to implement and maintain for a total datacenter and desktop solution. This course covers the latest technology updates including Windows Server 2016 and Windows 10 and will enable the new capabilities to be leveraged in your organization.